Abstract. In this paper we investigate fair computations in the π-calculus. Following
Costa and Stirling's approach for CCS-like languages [10], we consider a method to
label process actions in order to filter out unfair computations. We contrast the existing
fair-testing notion [35, 26] with those that naturally arise by imposing weak and strong
fairness. This comparison provides insight about the expressiveness of the various 'fair'
testing semantics and about their discriminating power.



1. Introduction 

One of the typical problems of concurrency is to ensure that all the tasks that are 
supposed to be executed do not get postponed indefinitely in favor of other activities. This 
property, which is called fairness, can be implemented by using a particular scheduling 
policy that excludes unfair behavior. For instance, in Pict [33], (weak) fairness is obtained
by using FIFO channel queues and a round-robin policy for process scheduling. A stronger 
property (strong fairness) is obtained by using priority queues. 

Of course in practice it is not feasible to impose that all implementations adopt a certain 
scheduler. One reason is that, depending on the underlying machine, one scheduling policy 
may be much more efficient than another one. Hence fairness has been studied, since the 
beginning of the research on Concurrency, as an abstract property and independently from 
the implementation. 
1.1. Fairness in literature. Most of the common notions of fairness share the same general
form: "Every entity that is enabled sufficiently often will eventually make progress."
Varying the interpretations of "entity" and "sufficiently often" leads to different notions of
fairness.

Kuiper and de Roever [18] identified a wide hierarchy of fairness notions for the CSP 
language (channel fairness, process fairness, guard fairness, and communication fairness), 
according to the entity taken into account (respectively channel, process, guard and
communication). Each of these fairness notions has a weak and a strong variant, which differ
in the interpretation of sufficiently often: weak forms of fairness are concerned with contin- 
uously enabled entities, whereas strong forms of fairness are concerned with the infinitely 
enabled entities. 

Independently, Costa and Stirling investigated (weak and strong) fairness of actions 
for a CCS-like language without restriction in [10], and fairness of components for the full
CCS in [11]. An important result of their investigation was the characterization of fair
executions in terms of the concatenation of certain finite sequences, called LP-steps. This
result allowed expressing fairness as a local property rather than a property of complete
maximal executions.

Although [18] and [10, 11] seem to define different fairness varieties, there is a
correspondence between some notions in the two approaches (up to the language on which the
study is based): guard fairness corresponds to fairness of actions, while process fairness
corresponds to fairness of components. However, the communication mechanism of the
languages chosen for the study - CSP in [18] and CCS in [10, 11] - modifies the
interrelationships among notions. In fact, in CSP processes communicate by name, each channel
corresponds precisely to a pair of processes, i.e. only two processes communicate along any
given channel and only one channel is used between any two processes; on the other hand,
in CCS any number of processes may communicate along a given channel, and two processes
may communicate along any number of channels. This implies that some fairness notions
are related in CSP while they are not related in CCS. For example, while every channel-fair
computation is also process-fair in CSP ([15]), in CCS it is possible for a particular channel
to be used sufficiently often and yet for another process to become blocked while trying to
use that same channel.¹

Hennessy [16] introduced the concept of fairness in his acceptance trees model, by adding
limit points indicating which infinite paths are fair. The notion of fairness incorporated into 
this semantics is a form of unconditional fairness: an infinite execution is considered fair if 
every process makes infinitely many transitions along that computation. 

Francez [TF characterized the notions of fairness in [18] in terms of a so-called machine 
closure property and by means of a topological model. 

Fairness has also been investigated in the context of probabilistic systems. Koomen
[21] explained fairness with probabilistic arguments: the Fair Abstraction Rule establishes
that no matter how small the probability of success is, if one tries often enough one will
eventually succeed. Pnueli introduced in [32] the notion of extreme fairness and α-fairness,
to abstract from the precise values of probabilities.

¹ It suffices to consider the term $\bar{a} \mid\ !a.\bar{a} \mid \bar{a}$, where $a$ and $\bar{a}$ denote actions of input and output on channel
$a$, respectively, and $!a.\bar{a}$ denotes a process which can perform infinitely often an input on channel $a$, followed
by an output on the same channel. Although channel $a$ must be used infinitely often along any infinite
computation, it is possible under channel fairness that the leftmost $\bar{a}$ is ignored, while the right-most $\bar{a}$
synchronizes continually with the process $!a.\bar{a}$. This is not the case under process fairness.
1.2. Fairness in bisimulation equivalences and testing semantics. Observational
equivalences and preorders can have different bearings with respect to fairness. In particular,
this is the case of testing preorders [12] and bisimulation equivalences [24, 31].

The first framework was presented by De Nicola and Hennessy in their seminal work
[12], where they proposed the concept of testing and defined the must- and the may-testing
semantics, as well as their induced preorders. Given a process P and a test (observer) o,

- P may o means that there exists a successful computation from P | o (where | is the
parallel operator, and successful means that there is a state where the special action ω is
enabled);

- P must o means that every maximal computation from P | o is successful;

- The preorder $P \leq_{sat} Q$ means that for any test o, P sat o implies Q sat o, where sat
denotes may or must;

- The equivalence $P \approx_{sat} Q$ means $P \leq_{sat} Q$ and $Q \leq_{sat} P$.

The second framework [24, 31] arises from the principle of (mutual) simulation of
systems. The prime representatives of this family are bisimilarity and observation congruence
[24]. In particular, weak bisimulation incorporates a particular notion of fairness: it
abstracts from the τ-loops (i.e. infinite sequences of τ - or internal - actions) in which the
"normal" behavior can be resumed each time after a finite sequence of τ-actions. Such a
property can be useful in practice - for instance for communication protocols in systems with
lossy communication media, which retransmit lost messages. There is a fairness principle
implicitly associated with such systems, based on the assumption that the path which stays
in the loop forever is not a possible behavior of the system. Interesting proofs of protocol
correctness based on this principle are given in [H [25] . 

Bisimulation equivalences are usually rather strict, since they depend on the whole
branching structure of processes, which in some cases may not be relevant. On the other
hand, most of the standard testing preorders interpret τ-loops as divergences, making them
quasi-observable. In fact, the must-predicate on P | o immediately fails if P is able to do a
τ-loop that never reaches a successful state. Hence, while the standard testing equivalences
are coarser than weak bisimulation in the case of divergence-free processes, they are not
comparable with the latter in general.

In [35] and in [26] a new testing semantics was proposed to incorporate the fairness
notion: the fair-testing (aka should-testing) semantics. In contrast to the classical
must-testing (semantics), fair-testing abstracts from certain τ-loops. This is achieved by stating
that the test o is satisfied if success always remains within reach in the system under test.
In other words, P fair o holds if in every maximal computation from P | o every state can
lead to success after finitely many interactions. The characterizing semantics for fair-testing
and a similar testing scenario can already be found in [38].

The relation between bisimulations and fair-testing was investigated in [13], in the
context of name-passing process calculi like the asynchronous π-calculus [19] and the
join-calculus [14]. The authors of [13] presented a hierarchy of equivalences obtained as variations
of Milner and Sangiorgi's weak barbed bisimulation. In particular, they proved that the
coupled barbed equivalence strictly implies the fair-testing equivalence. They also showed
that those relations coincide in the join-calculus and on a restricted version of the
asynchronous π-calculus, called local π-calculus, where reception occurs only on names bound
by a restriction (not on free and received names).
Another relation motivated by the aim of incorporating in must-testing the fairness
property of observation congruence is the acceptance-testing, which was defined and studied
in [5]. This relation is captured by the failures model but, in contrast to must-testing, it
does not yield a precongruence with respect to abstraction (or hiding), a construction which
internalizes visible actions and may thereby introduce new divergences.

The probabilistic intuitions motivating Koomen's rule inspired another approach
to incorporate fairness in a testing semantics [29]. The authors of [29] defined a
probabilistic must-semantics in which a (probabilistic) process must-satisfy a test if and only
if the probability with which the process satisfies the test equals 1, and proved that two
non-probabilistic processes are fair-equivalent if and only if their probabilistic versions are
equivalent in the probabilistic testing semantics.

1.3. The goal of this work: A study of testing semantics with implicit and explicit 
fairness. Fair-testing is an appealing equivalence. Some of its advantages are that it detects 
deadlocks and implements fairness. It has also been used in various works. For example, [6] 
uses the fair-testing preorder as an implementation relation for distributed communication
protocols. 

The purpose of our study is to try to make operationally explicit the fairness
assumption which is implicit in the fair-testing semantics. The advantage of the formulation in
operational terms is to have a better understanding of this notion. Also, it can help
eliminate some of the known drawbacks: for example, fair-testing abstract fairness is not
enforced by practical scheduling policies, and direct proofs of equivalence are very difficult
because they involve nested inductions for all quantifiers in the definition of fair-testing and
all evaluation contexts.

In contrast to [27] we want to keep invariant the original testing scenario and try to
characterize (or approximate) fair-testing semantics - which does not involve any probability
assumption - in terms of a non-probabilistic testing semantics equipped with some explicit
fairness notion.

We proceed as follows: 

• We consider the choiceless π-calculus [25] and we develop for it an approach to fairness
(of actions) similar to that which has been proposed in [10, 11] for CCS-like languages
[24]. More precisely, we define (i) a labeling method for π-calculus terms that ensures
that no label occurs more than once in a labeled term (unicity), that a label disappears
only when the corresponding action is performed (disappearance), and that, once it has
disappeared, it will not appear in the computation anymore (persistence), (ii) the notion
of live action, which refers to the fact that the action can currently be performed, and
(iii) weak and strong fairness of actions.

• We then contrast the existing fair-testing semantics [35, 26] with those that naturally
arise by imposing weak and strong fairness [10, 11] on a must-testing semantics.

In the following we justify our choices, and describe in detail our setting and results. 

1.4. The choiceless π-calculus. The choiceless π-calculus is essentially the π-calculus
without the choice operator (+). This seems a rather appealing framework to study fairness.
In fact, the choice operator is a bit controversial with respect to fairness, because it is not
clear what fairness should mean in the case of a repeated execution of a choice construct.
In [11] the continuous selection of the same branch of a choice construct turns out to be
fair, while other researchers would not agree to consider this kind of computation fair. The
reason why it is fair in [11] is that when the action that has not been selected comes back
in the recursive call, it is considered a new action, and it is relabeled. On the contrary, in
other approaches, like for instance [18], the guards that come back are precisely the object
of weak fairness.

On the other hand, thanks to the fact that the restriction operator "ν" allows the
creation of new names and the scope extrusion, the π-calculus is more expressive than
CCS, and it is possible to represent in it various types of choices in a compositional way by
means of the parallel operator (see [27, 28, 30]), in particular the internal choice and the
input-guarded choice. For example, the term $(\nu a)(\bar{a} \mid a.b.0 \mid a.c.0)$ represents the internal
choice between b and c. If we want to repeat the execution of this choice, we use the
replication operator "!" which creates an arbitrary number of copies of the argument. The
issue of fairness depends on where we place "!" in the term: $!(\nu a)(\bar{a} \mid a.b.0 \mid a.c.0)$ can
produce an infinite sequence of "b"'s, and the corresponding computation is considered fair
because the subterms $a.b.0$, $a.c.0$ have only one copy of $\bar{a}$ in the same scope, so if such copy
synchronizes with $a.b.0$, then $a.c.0$ will be disabled forever. In a sense, the term represents
a new choice each time. On the contrary, $(\nu a)!(\bar{a} \mid a.b.0 \mid a.c.0)$ can also produce an infinite
sequence of "b"'s, but the corresponding computation is not fair because all the copies of
$\bar{a}$ are in the same scope and therefore $a.c.0$ is always enabled. In a sense, here we repeat
always the same choice.

We find that the reduction of choice to the parallel operator brings some insight to the 
relation between repeated choice and fairness, in the sense that the definition of fairness for 
the various kinds of combination of choice and repetition stems naturally from the definition 
of fairness for the parallel operator. 

1.5. The labeling method. In [10, 11], labels are flat sequences of 1's and 2's and are
assigned to operators according to the syntactic structure of the term, without distinguishing
between static and dynamic operators. In our approach, labels are pairs $\langle s, n\rangle$ in $(\{0,1\}^* \times \mathbb{N})$
and are associated to prefix and replication operators; restriction and parallel operators do
not get a label on their own. In contrast to [10, 11], the aim is to keep separated the
information about static and dynamic operators and avoid labels which (at least for our
purpose) are superfluous, thus making more intuitive their role in the notion of fairness.

The first component of a pair, s, represents the position of the process (whose top- 
level operator is associated to that label) in the term structure, and it depends only on 
the (static) parallel operator. This component ensures the unicity of a label. The second 
component, n, provides information about the dynamics of the process in the term structure. 
More precisely, it indicates how many actions that process has already executed since the 
beginning of the computation, and it depends only on the (dynamic) prefix operator. This 
second component serves to ensure the persistence property of a label. 

Informally, a label $\langle s, n\rangle$ denotes unambiguously a parallel process - the one associated
to s - and a precise action of it - the one nested at level n in the original term. Note that:
(i) all the actions of a parallel process share the first label component s and they only differ
in the second component n; (ii) actions of different parallel processes at the same level
share the second label component n and are distinguished by the first component s.

We give now an example to illustrate the difference with the labeling method of [10, 11].
We recall that in [10, 11] the labels are assigned essentially by using the tree representing
the abstract syntax of the term: we add 1 to the string representing the label on the left
branch, and 2 on the right branch.

Figure 1: Tree-representation of labeled terms.

Example 1.1. Consider the term $S = x(y).((\nu z)(z(k).0 \mid \bar{z}h.0)) \mid a(u).0$. The left-most
tree in Figure 1 is the labeling of S in the approach of [10, 11], while the right-most one
is the labeling of S in our approach. The representation of both labeled terms in the
usual linear syntax is given in Example 4.7.



1.6. Testing with explicit fairness vs. fair-testing. The labeling method allows defining
weak- and strong-fair computations. Using these notions, we adapt must-testing
semantics [2] to obtain what we call weak-fair must-testing semantics and strong-fair
must-testing semantics. Then we compare these two 'fair'-testing semantics with the fair-testing
[35, 26], which does not need any labeling of actions, and with the standard must-testing.
This comparison reveals the expressiveness of the various testing semantics we consider. In
particular:

• we show that weak-fair must testing is strictly stronger than strong-fair must testing, 

• we show that must-testing is strictly stronger than weak-fair must testing, 

• we prove that strong-fair must testing is strictly stronger than fair-testing,

• we prove that strong-fair and weak-fair must-testing cannot be characterized by a notion
based on the transition tree, like fair-testing.

1.7. Roadmap of the paper. The rest of the paper is organized as follows. Section 2
recalls the definition of the π-calculus. Section 3 recalls the definition of the must-testing
and the fair-testing semantics. Section 4 shows the labeling method and its main
properties. Weak-fair must- and strong-fair must-testing semantics are defined in Section 5 and
compared in Section 6. Finally, in Section 7 we investigate why strong and weak fairness
notions are not enough to characterize fair-testing semantics. Section 8 contains some
concluding remarks and plans for future work. All the proofs omitted in the body of the paper
are in the appendixes.
2. The π-calculus

We briefly recall here the basic notions about the (choiceless) π-calculus. Let $\mathcal{N}$ (ranged
over by $x, y, \ldots$) be a set of names. The set $\mathcal{P}$ of processes (ranged over by $P, Q, R, \ldots$)
is generated by the following grammar:

$P ::= 0 \;\mid\; x(y).P \;\mid\; \bar{x}y.P \;\mid\; P|P \;\mid\; (\nu x)P \;\mid\; !P$

The input prefix $y(x).P$ and the restriction $(\nu x)P$ act as name binders for the name $x$ in
$P$. The free names $fn(P)$ and the bound names $bn(P)$ of $P$ are defined as usual. The set
of names of $P$ is defined as $n(P) = fn(P) \cup bn(P)$.

The operational semantics of processes is given via a labeled transition system, whose
states are the processes themselves. The labels (ranged over by $\mu, \gamma, \ldots$) "correspond" to
prefixes, input $xy$ and output $\bar{x}y$, and to the bound output $\bar{x}(y)$ (which models scope
extrusion). If $\mu = xy$ or $\mu = \bar{x}y$ or $\mu = \bar{x}(y)$ we define $sub(\mu) = x$ and $obj(\mu) = y$. The
functions $fn(\cdot)$, $bn(\cdot)$ and $n(\cdot)$ are extended to cope with labels as follows:

$bn(xy) = bn(\bar{x}(y)) = \{y\}$    $bn(\bar{x}y) = bn(\tau) = \emptyset$

$fn(xy) = \{x, y\}$    $fn(\bar{x}(y)) = \{x\}$    $fn(\bar{x}y) = \{x, y\}$    $fn(\tau) = \emptyset$

We take into account the early operational semantics for V in |(37, , as shown in Table 
1. We only omit symmetric rules of Par, Com and Close for simplicity, and we assume
alpha-conversion to avoid collision of free and bound names. 



Input x{y).P P{z/y} 

Output xy.P P 

p p' p ^ ) p' 

(^y)p p' ^^y)p JU {uy)P' 

pJUp' 

Par bn{fi) n/n(Q) = 

P\Q^P'\Q 



P ^ P', Q ^Q' P^P', Q -^Q' 
Com Close y fn{P) 

P\Q^P'\Q' P\Q^{vy){P'\Q') 



P^P' 

Rep 

IP P' I IP 



Table 1: Early operational semantics for $\mathcal{P}$ terms.
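Definition 2.1. (Weak transitions) Let P and Q be $\mathcal{P}$ processes. Then:

- $P \Longrightarrow Q$ iff $\exists P_0, \ldots, P_n \in \mathcal{P}$, $n \geq 0$, s.t. $P = P_0 \xrightarrow{\tau} \cdots \xrightarrow{\tau} P_n = Q$;

- $P \stackrel{\mu}{\Longrightarrow} Q$ iff $\exists P_1, P_2 \in \mathcal{P}$ s.t. $P \Longrightarrow P_1 \xrightarrow{\mu} P_2 \Longrightarrow Q$.

Notation 2.2. For convenience, we write $x(y)$ and $\bar{x}y$ instead of $x(y).0$ and $\bar{x}y.0$,
respectively. Furthermore, we write $P \xrightarrow{\mu}$ (respectively $P \stackrel{\mu}{\Longrightarrow}$) to mean that there exists $P'$ such
that $P \xrightarrow{\mu} P'$ (respectively $P \stackrel{\mu}{\Longrightarrow} P'$) and we write $P \Longrightarrow\xrightarrow{\mu}$ to mean that there are $P'$
and $Q$ such that $P \Longrightarrow P'$ and $P' \xrightarrow{\mu} Q$.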



3. Testing semantics 

In this section we briefly summarize the basic definitions behind the testing machinery
for the π-calculus.

Definition 3.1. (Observers)

- Let $\omega \notin \mathcal{N}$. $\omega$ denotes a special action used to report success. By convention $fn(\omega) =
bn(\omega) = \emptyset$.

- The set $\mathcal{O}$ (ranged over by $o, o', o'', \ldots$) of observers is defined like $\mathcal{P}$, where the grammar
is extended with the production $P ::= \omega.P$.

- The operational semantics of $\mathcal{P}$ is extended to $\mathcal{O}$ by adding $\omega.P \xrightarrow{\omega} P$.

Definition 3.2. (Experiments) The set of experiments over $\mathcal{P}$ is defined as

$S = \{ (P \mid o) \mid P \in \mathcal{P}, o \in \mathcal{O} \}$

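Definition 3.3. (Maximal Computations) Given $P \in \mathcal{P}$ and $o \in \mathcal{O}$, a maximal
computation from P | o is either an infinite sequence of the form

$P \mid o = T_0 \xrightarrow{\tau} T_1 \xrightarrow{\tau} T_2 \xrightarrow{\tau} \cdots$

or a finite sequence of the form

$P \mid o = T_0 \xrightarrow{\tau} T_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} T_n \not\xrightarrow{\tau}$.

We are now ready to define must- and fair-testing semantics.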

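Definition 3.4. (Must- and Fair-Testing Semantics) Given a process $P \in \mathcal{P}$ and an
observer $o \in \mathcal{O}$, define:

- P must o if and only if for every maximal computation from P | o

$P \mid o = T_0 \xrightarrow{\tau} T_1 \xrightarrow{\tau} \cdots T_i\ [\xrightarrow{\tau} \cdots]$

there exists $i \geq 0$ such that $T_i \xrightarrow{\omega}$;

- P fair o if and only if for every maximal computation from P | o

$P \mid o = T_0 \xrightarrow{\tau} T_1 \xrightarrow{\tau} \cdots T_i\ [\xrightarrow{\tau} \cdots]$

we have $T_i \stackrel{\omega}{\Longrightarrow}$, for every $i \geq 0$.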
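The two predicates of Definition 3.4 can be compared on a finite abstraction; the following is an added example, not code from the paper. It assumes an experiment P | o is given as a finite graph whose nodes are the states T_i, whose edges are the τ-steps, and whose `success` set holds the states where ω is enabled; the state names and both sample experiments are constructed.

```python
def reachable(graph, start):
    """States T' with T ==> T' (zero or more tau-steps), T itself included."""
    seen, todo = {start}, [start]
    while todo:
        for nxt in graph.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def must(graph, success, start):
    """P must o: every maximal computation visits a state where omega is enabled."""
    ON_PATH, SAFE = 1, 2
    mark = {}

    def every_run_succeeds(state):
        if state in success:
            return True
        if mark.get(state) == SAFE:
            return True
        if mark.get(state) == ON_PATH:
            # A tau-loop through unsuccessful states: an infinite maximal
            # computation that never reports success (a divergence).
            return False
        successors = graph.get(state, ())
        if not successors:
            # Finite maximal computation ending in an unsuccessful state.
            return False
        mark[state] = ON_PATH
        ok = all(every_run_succeeds(nxt) for nxt in successors)
        if ok:
            mark[state] = SAFE
        return ok

    return every_run_succeeds(start)


def fair(graph, success, start):
    """P fair o: from every state of every computation, success stays reachable."""
    return all(reachable(graph, state) & success
               for state in reachable(graph, start))


# Constructed experiment 1: retransmission over a lossy medium. The sender may
# lose the message forever (tau-loop on "send") or deliver it.
LOSSY = {"send": ["send", "delivered"], "delivered": []}
LOSSY_SUCCESS = {"delivered"}

# Constructed experiment 2: one branch reports success, the other deadlocks.
DEADLOCK = {"start": ["ok", "stuck"], "ok": [], "stuck": []}
DEADLOCK_SUCCESS = {"ok"}

if __name__ == "__main__":
    for name, g, s, t in (("lossy", LOSSY, LOSSY_SUCCESS, "send"),
                          ("deadlock", DEADLOCK, DEADLOCK_SUCCESS, "start")):
        print(name, "must:", must(g, s, t), "fair:", fair(g, s, t))
```

The lossy experiment fails must-testing because of the τ-loop but passes fair-testing, while the deadlocking one fails both.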
4. A labeled version of the π-calculus

In order to deal with the notion of fairness of actions [10], we first need to introduce a
labeling method. Consider the following term:

$P = \bar{a} \mid\ !a.\bar{a} \mid \bar{a}$.

Notice that every maximal computation from P is always of the form

$P \xrightarrow{\tau} P \xrightarrow{\tau} P \xrightarrow{\tau} \cdots$

However, without labels we would not be able to distinguish fair computations from unfair
ones, since we do not know which $\bar{a}$ synchronizes with $!a.\bar{a}$ and makes progress at each step.
So, we need to be able to refer unambiguously to individual actions and to monitor them
along any computation.

4.1. The idea behind the labeling method. A 'reasonable' labeling method, indepen- 
dently from the choice of the labels domain, has to provide unicity (e.g. no label occurs 
more than once in a labeled term), disappearance (e.g. a label disappears only when the 
corresponding action is performed) and persistence (e.g. once a label disappears, it does 
not appear in the computation anymore). 

The labeling method can be more or less informative, in the sense that the degree of 
information about the structure of terms (static information) and about the computation 
history (dynamic information) can vary. For our purpose we find it useful to adopt a labeling
method which is rather informative and keeps separate the static and dynamic aspects. 

Definition 4.1. (Ground Labeled V) We define Vg^. as the language generated by the fol- 
lowing grammar: 

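$E ::= 0 \;\mid\; \mu_{\langle s,n\rangle}.E \;\mid\; (\nu x)E \;\mid\; E|E \;\mid\; !_{\langle s,n\rangle}P$

where $s \in \{0,1\}^*$, $n \in \mathbb{N}$, $P \in \mathcal{P}$ and the prefix $\mu$ is of the form $x(y)$ or $\bar{x}y$.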

Obviously, Vgj. also contains labeled terms in which the labels do not respect the struc- 
ture and/or the execution order. To avoid this problem, we restrict the labeled language to 
those terms which are well-formed. The well-formedness predicate $wf(\cdot)$ (Table 4) allows
us to obtain a well-defined labeling method; it is defined by using a binary relation $\Re$ over
sets of labels, which checks the absence of label conflicts in the parallel composition, and
a labeling function $L_{\langle s,n\rangle}(\cdot)$, where $s \in \{0,1\}^*$ and $n \in \mathbb{N}$, which allows us to avoid label
conflicts in the prefix composition.

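First, we define $\Re$: if $L_0$ and $L_1$ are sets of labels, $L_0 \Re L_1$ holds if and only if for every
$\langle s_0, n_0\rangle \in L_0$ and $\langle s_1, n_1\rangle \in L_1$, the first elements of the labels, $s_0$ and $s_1$, are not related
w.r.t. the usual prefix relation between strings. Formally:

Definition 4.2.

1. Given two strings $s_0, s_1 \in \{0,1\}^*$, we write $s_0 \sqsubseteq s_1$ if and only if $s_0$ is a prefix of $s_1$, i.e.
$s_1 = s_0\alpha$ for some $\alpha \in \{0,1\}^*$;

2. Given $L_0, L_1 \subseteq (\{0,1\}^* \times \mathbb{N})$, we write $L_0 \Re L_1$ if and only if $\forall \langle s_0, n_0\rangle \in L_0.\ \forall \langle s_1, n_1\rangle \in
L_1.\ s_0 \not\sqsubseteq s_1$ and $s_1 \not\sqsubseteq s_0$.

Remark 4.3. From Definition 4.2 it follows immediately that

$L_0 \Re L_1$ implies $\forall \langle s_0, n_0\rangle \in L_0.\ \forall \langle s_1, n_1\rangle \in L_1.\ \langle s_0, n_0\rangle \neq \langle s_1, n_1\rangle$.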
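Then, the labeling function $L_{\langle s,n\rangle}(\cdot)$ is defined following inductively the $\mathcal{P}$ terms'
operational structure.

Definition 4.4. Let $P \in \mathcal{P}$. Define $L_{\langle s,n\rangle}(P)$, where $\langle s,n\rangle \in (\{0,1\}^* \times \mathbb{N})$, as in Table 2.

$L_{\langle s,n\rangle}(0) = 0$
$L_{\langle s,n\rangle}(\mu.P) = \mu_{\langle s,n\rangle}.L_{\langle s,n+1\rangle}(P)$
$L_{\langle s,n\rangle}(P_0 \mid P_1) = L_{\langle s0,n\rangle}(P_0) \mid L_{\langle s1,n\rangle}(P_1)$
$L_{\langle s,n\rangle}((\nu x)P) = (\nu x)L_{\langle s,n\rangle}(P)$
$L_{\langle s,n\rangle}(!P) =\ !_{\langle s,n\rangle}P$

Table 2: Labeling function $L_{\langle s,n\rangle}(\cdot)$.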

We will use the relation $\Re$ in combination with the function $top(\cdot)$, defined in Table 3,
which gives the top-level label set of a labeled term. In the same table we define also the
function $lab(\cdot)$, which returns the whole set of labels, and which will be useful later.

$E = 0$:    $top(E) = \emptyset$    $lab(E) = \emptyset$
$E = \mu_{\langle s,n\rangle}.E'$:    $top(E) = \{\langle s,n\rangle\}$    $lab(E) = \{\langle s,n\rangle\} \cup lab(E')$
$E = (\nu x)E'$:    $top(E) = top(E')$    $lab(E) = lab(E')$
$E = E_0 \mid E_1$:    $top(E) = top(E_0) \cup top(E_1)$    $lab(E) = lab(E_0) \cup lab(E_1)$
$E =\ !_{\langle s,n\rangle}P$:    $top(E) = \{\langle s,n\rangle\}$    $lab(E) = \{\langle s,n\rangle\}$

Table 3: Function $top(\cdot)$ and $lab(\cdot)$.



Remark 4.5. From the definitions in Table 3 we have that

yE G Vg,.. top{E) C lab{E) 

Finally, Table 4 defines formally the well-formedness predicate $wf(\cdot)$. Note that we use
$\Re$ to check the lack of conflict, between labels in parallel components, at the top-level only.
This constraint will turn out to be sufficient. In fact, in Lemma A.6 in the appendix it is
proved that

$top(E_0) \Re top(E_1)$ implies $lab(E_0) \Re lab(E_1)$.
Now we are ready to define the set of labeled "P-calculus terms, denoting it by V^. 
Nil



Pref 



wf{0) 



Par 



wfjEp), wfjEi), top{E^)^top{Ei 
wf{Eo I El) 



wf{E) Per 
Res Rep 



wf{{ux)E) 



wf{\s,n)P) 



Table 4: Well formed terms. 



Definition 4.6. The labeled "P-calculus, denoted by V^, is the set 

{E E I wf{E)} 

It would be possible to define well-formed terms without explicitly relying on the
labeling function: for example, defining an ordering relation between labels to characterize
well-formedness of prefixing. However, our aim is to keep separated static and dynamic
information. More in detail, contains all the well-formed processes of the form $L_{\langle s,n\rangle}(P)$



(Lemma A.4). However, the operational semantics of V^, introduced in the following, does 



not preserve the 'L^5 ,^^(P)' format: for this reason, the 'wf{.) predicate is defined in order 
to ensure the closure of "P^ w.r.t — 

Example 4.7. Consider again the term $S = x(y).((\nu z)(z(k).0 \mid \bar{z}h.0)) \mid a(u).0$ of Example 1.1.
In the approach of [10, 11], the labeling of S would give the term

$x(y)_{1}.((\nu z)_{11}(z(k)_{1111}.0_{11111} \mid_{111} \bar{z}h_{1112}.0_{11121})) \mid_{\varepsilon} a(u)_{2}.0_{21}$.

In our approach, the labeling of S is the term

$x(y)_{\langle 0,0\rangle}.((\nu z)(z(k)_{\langle 00,1\rangle}.0 \mid \bar{z}h_{\langle 01,1\rangle}.0)) \mid a(u)_{\langle 1,0\rangle}.0$.
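The labeling of Example 4.7 can be reproduced mechanically; the following is an added example, not code from the paper. It implements the labeling function of Table 2, the functions top and lab of Table 3 and the relation of Definition 4.2, then checks unicity and the parallel side condition on S. The class and function names, the output notation `z!h` for the output prefix, the starting label ⟨ε,0⟩, and the `fire` helper (which performs a single top-level prefix and ignores name substitution) are assumptions of this sketch.

```python
from collections import namedtuple

# Unlabeled terms of Section 2; actions are opaque strings, output written "z!h".
Nil = namedtuple("Nil", "")
Prefix = namedtuple("Prefix", "act cont")
Par = namedtuple("Par", "left right")      # also reused for labeled E0 | E1
Res = namedtuple("Res", "name body")       # also reused for labeled (nu x)E
Rep = namedtuple("Rep", "body")
# Labeled terms of Definition 4.1; a label is the pair (s, n).
LPrefix = namedtuple("LPrefix", "act label cont")
LRep = namedtuple("LRep", "label body")    # the replicated body stays unlabeled


def label(p, s="", n=0):
    """Labeling function L_<s,n>(P) of Table 2."""
    if isinstance(p, Nil):
        return p
    if isinstance(p, Prefix):
        return LPrefix(p.act, (s, n), label(p.cont, s, n + 1))
    if isinstance(p, Par):
        return Par(label(p.left, s + "0", n), label(p.right, s + "1", n))
    if isinstance(p, Res):
        return Res(p.name, label(p.body, s, n))
    if isinstance(p, Rep):
        return LRep((s, n), p.body)
    raise TypeError(f"not an unlabeled term: {p!r}")


def top(e):
    """Top-level label set top(E) of Table 3."""
    if isinstance(e, (LPrefix, LRep)):
        return {e.label}
    if isinstance(e, Res):
        return top(e.body)
    if isinstance(e, Par):
        return top(e.left) | top(e.right)
    return set()


def occurrences(e):
    """Label occurrences with multiplicity; lab(E) of Table 3 is their set."""
    if isinstance(e, LPrefix):
        return [e.label] + occurrences(e.cont)
    if isinstance(e, LRep):
        return [e.label]
    if isinstance(e, Res):
        return occurrences(e.body)
    if isinstance(e, Par):
        return occurrences(e.left) + occurrences(e.right)
    return []


def unrelated(l0, l1):
    """Relation of Definition 4.2: no first component is a prefix of another."""
    return not any(a.startswith(b) or b.startswith(a)
                   for a, _ in l0 for b, _ in l1)


def par_side_condition(e):
    """top(E0) R top(E1) at every parallel composition (rule Par of Table 4)."""
    if isinstance(e, Par):
        return (unrelated(top(e.left), top(e.right))
                and par_side_condition(e.left) and par_side_condition(e.right))
    if isinstance(e, LPrefix):
        return par_side_condition(e.cont)
    if isinstance(e, Res):
        return par_side_condition(e.body)
    return True


def unicity(e):
    """Theorem 4.8(1): no label occurs more than once in E."""
    occ = occurrences(e)
    return len(occ) == len(set(occ))


def fire(e, lbl):
    """Perform the top-level prefix labeled lbl; the name substitution of an
    input is omitted because it never changes labels."""
    if isinstance(e, LPrefix) and e.label == lbl:
        return e.cont
    if isinstance(e, Par):
        return Par(fire(e.left, lbl), fire(e.right, lbl))
    if isinstance(e, Res):
        return Res(e.name, fire(e.body, lbl))
    return e


def render(e):
    """Linear syntax; a label <s,n> is printed right after its operator."""
    if isinstance(e, LPrefix):
        return f"{e.act}<{e.label[0]},{e.label[1]}>.{render(e.cont)}"
    if isinstance(e, LRep):
        return f"!<{e.label[0]},{e.label[1]}>{render(e.body)}"
    if isinstance(e, Prefix):
        return f"{e.act}.{render(e.cont)}"
    if isinstance(e, Rep):
        return f"!{render(e.body)}"
    if isinstance(e, Par):
        return f"({render(e.left)} | {render(e.right)})"
    if isinstance(e, Res):
        return f"(v{e.name}){render(e.body)}"
    return "0"


# The term S of Examples 1.1 and 4.7.
S = Par(Prefix("x(y)", Res("z", Par(Prefix("z(k)", Nil()), Prefix("z!h", Nil())))),
        Prefix("a(u)", Nil()))
E = label(S)

if __name__ == "__main__":
    print(render(E))
    print(sorted(top(E)), unicity(E), par_side_condition(E))
    print(sorted(occurrences(fire(E, ("0", 0)))))
```

Firing the prefix labeled ⟨0,0⟩ removes that label from the term and exposes ⟨00,1⟩ and ⟨01,1⟩ at top level, which is the disappearance property stated in Theorem 4.8.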



4.2. Some properties of the labeled vr-calculus. The operational semantics of is 
similar to the one in Table 1; we simply ignore labels in order to derive a transition.
The only rule that needs attention is the one for processes in the scope of the replication 
operator, since the unfolding generates new parallel processes and we must ensure unicity, 
disappearance and persistence of labels. We use the dynamic labeling described in Table 5.
is trivially closed w.r.t. renaming, since a renaming does not change labels. It 
follows that the language is closed w.r.t. ^— >. 

The next result states the main properties which make our labeling method 'reasonable':

Theorem 4.8. Let E gV. 

1. (Unicity) No label $\langle s,n\rangle$ occurs more than once in E;

2. (Disappearance) If $E \xrightarrow{\mu} E'$ then $\exists \langle s,n\rangle \in lab(E).\ \langle s,n\rangle \notin lab(E')$;

3. (Persistence) $\forall k > 1$. $E_0 \xrightarrow{\mu_0} E_1 \xrightarrow{\mu_1} E_2 \xrightarrow{\mu_2} \cdots \xrightarrow{\mu_{k-1}} E_k$, if $\langle s,n\rangle \in lab(E_0) \cap lab(E_k)$
then $\langle s,n\rangle \in lab(E_i)$ for any $i \in [1..(k-1)]$.

Table 5: Replication Rule in

Proof.

(1) By induction on the structure of E.

- E = 0: then $lab(0) = \emptyset$.

- E = then lab{E)



A.4 



{{s,n)} U lab{L^s^j^^i^{P')). By Lemma 

'"'/(-^(s,ri+i>(-f"))) -^(s,n+i>(-f") £ ^-iicl, by induction hypothesis, for every 
{s',n') E lab{Lun+i){P'))i {s',n') does not occur more than once in /a&(i(s,n+i) (-?"))• 
By Lemma A. 3, V(s',n') E lab{L(^g^^j^i\^{P')). s C s' and n + 1 < n'. Hence 



(s,n) lab{L(^s^n+i){P'))- 
E = {Eq\Ei): by definition, Mi G {0, holds, implying Ei G and lab{E) = 

(J^ lab{Ei). By induction hypothesis, for every i G {0, 1} and every {si,ni) £ lab{Ei), 
{si,ni) does not occur more than once in lab{Ei). By Lemma |A.6 top{EQ) ^top{Ei) 
implies lab{Eo) ^lab{Ei), i.e. \/{so,no) £ lab{EQ). \/{si,ni) £ lab{Ei). (so,^^o) / 
Hence, for every i £ {0,1} and every {si,ni) £ lab{Ei), {si^n-i) does not 
occur more than once in lab{E). 

Cases E = {vx)E' and E =\s,n)P can be proved similarly. 



(2) By Remark 4.5 and Lemma A. 8 it suffices to prove that 

E E' implies 3(s,n) £ top{E). {s,n) top{E'). 



In fact, (s,n) £ top{E) implies (s,n) £ lab{E) (by Remark 4.5), and top{E') 

implies (s,n) ^ lab{E') (by Lemma A.8). 

By induction on the depth of E — ^ 
- Rule Input/ Output E = L(^^„)(/i.P) -^U E' = L(s,„+i^(f") (either P' = P or P' = 



P{z/v})- top{L(^,^n){fi.P)) = {{s,n)} and, by Lemma |A.3| on .„+i)(P'), y{r',m') £ 
top{L(^s,n+i){P')) ^ ^'0'K^{s.n+i){P'))- s Q r' and n + 1 < m'. Hence (s,n) G top{E) 
and (s,n) ^ to^3(L(^_„+i)(P')). 

Rule Par. E = {Eq\ Ei) ^ {E'q \ Ei), where 6n(/x) n fn{Ei) = and Eq ^ E'q. By 
induction hypothesis, 3(ro,mo) G top{EQ).{rQ,mo) top^E'^). Since top{EQ)?R.top{Ei) 
holds, then {(ro, mo)}5Rtop(Pi), i.e. (ro,mo) top(Ei). We conclude that (ro,mo) 
top(P^ I Pi). 

Pu/e Com: P = (Po | ^1) ^ (P^ | P^), where Pq ^ Pq and Pi ^ Pj. 
By induction hypothesis, 3(ro,mo) G top(Po). (ro,mo) top^E'^) and 3(ri,mi) G 
M^i). (ri,mi) M-^D- 

Consider (ro,mo) (case (ri,mi) is symmetric). Since wf{EQ \ Pi), then we have 
topiyEo) top{Ei). This implies {(ro, mo)}3f?top(Pi). 
By item (3) of Lemma
r' C r\ and m! < 



A.5 



(3) 



_on El ^ E[, y{r[,m[) G top{E[). 3{r',m') G top{Ei). 
_ ^ _ ^ By Lemma A. 2 it follows that {(^'Oi^n-o)} ^ top{E'^^ and 

therefore (ro,mo) top{E[). We can conclude that (ro,mo) € top{EQ \ Ei) and 
(ro, mo) U to;^(SO = top{E'o \ E[). 

- Rule Open/Res/Close/Rep: These cases can be proved similarly. 
In [11] (Lemma 8.8), the analogous property is only proved for k = 2. However, the
general case cannot be obtained by induction, since the reasoning for the case k = 2
does not contain the essential elements to prove the inductive step. Differently from
[11], we prove the property in the general case. We proceed as follows.

By contradiction, let i E [l..(k — 1)] be the least index such that (s,n) lah{Ei) and 
let j £ [{i + l)..k] be the least index such that {s, n) G lab{Ej). By the minimality of i, 
we can apply Lemma A. 7 and we obtain that (s, n) G top(Ei^i). By item (2) of Lemma 
A.5 on Ej, 3{rj,mj) G top{Ej). rj C s and rrij < 



n. 



By item (3) of Lemma A.5 

) G top{Ec). Tc E rc+i 
s and mj_i < n. 



on 



and nic < rUc+i- 



■j, 3{rj,mj) G top{Ej). rj □ 

Ec Ec+i for any c G -I)], 3{rc,m. 

It follows that 3(rj_i, mj„i) G top{Ei-i). rj_i C 

- In the case (rj_i, mi_i) and (s, n) are distinct labels: we contradict item (1) of Lemma 

\EM 

- In the case (rj_i,mj_i) = {s,n): 
top{Ec). s E Tc C s and n < 
{s,n) lab{Ec). 



it follows that Vc G ((i - 
< n, i.e. s = and n 



1 



- 1)]. 3{rc,mc) G 
TTic, contradicting that 
□ 



Remark 4.9. The disappearance property states that a label disappears when the corresponding
action is performed. On the other hand, persistence ensures a complete disappearance of a
label, once the corresponding action is performed. In fact, it is clear that for
$E_0 \longrightarrow E_1 \longrightarrow \cdots \longrightarrow E_k$ with $(s,n) \in lab(E_0) \cap lab(E_k)$ the existence of some
$h \in [1..(k-1)]$ satisfying $(s,n) \notin lab(E_h)$ would contradict item (3).



As expected, the labeled language is a conservative extension of the unlabeled one. To
prove the statement, we have to formally define the $\mathcal{P}$ process that is obtained by deleting
all the labels appearing within a labeled term.

Definition 4.10. Let $E$ be a labeled process. Define $Unl(E)$ as the $\mathcal{P}$ process obtained by
removing all the labels in $E$. It can be defined by induction as in Table 6.



$Unl(0) = 0$

$Unl(\mu_{\langle s,n\rangle}.E) = \mu.Unl(E)$

$Unl(E_0 \mid E_1) = Unl(E_0) \mid Unl(E_1)$

$Unl((\nu x)E) = (\nu x)Unl(E)$

$Unl(!_{\langle s,n\rangle}P) = !P$

Table 6: Function $Unl(\cdot)$.

The conservative property of the labeled extension is expressed by the following lemma,
which can be proved by induction on the depth of $E \xrightarrow{\mu} E'$ (item (1)) and $Unl(E) \xrightarrow{\mu} P'$
(item (2)).

Proposition 4.11. Let $E$ be a labeled process.

1. $E \xrightarrow{\mu} E'$ implies $Unl(E) \xrightarrow{\mu} Unl(E')$;

2. $Unl(E) \xrightarrow{\mu} P'$ implies that there exists a labeled process $E'$ such that $E \xrightarrow{\mu} E'$ and $Unl(E') = P'$. □

5. Strong and weak fairness of actions 

The labeling method proposed in the previous section can be extended in a natural way
over the observers, adding B ::= ω.B in the grammar of Vg^., $\omega.o \xrightarrow{\omega} o$ in the operational
semantics and extending the functions $L_{\langle s,n\rangle}$, $top(\cdot)$, $lab(\cdot)$, $Unl(\cdot)$ and the predicate $wf(\cdot)$
as shown in Table 7. No label is associated to $\omega$ since we do not need to distinguish $\omega$
occurrences.¹



{Li^s,n)/Unl) 




= Unl{L(^s.n){uj.o)) 


= U}.0 


(top/lab) 


topioj.o) 


= lab{uj.o) 


= 




u.o G O 
wf{uj.o) 







Table 7: Labeling method extension over observers. 

In the following, (ranged over by /o, p', ..) denotes the set of labeled observers and 
£^ denotes the set of labeled experiments over V^, as expected. 

The definition of live label is crucial in the notion of fairness. Given a labeled experiment
$S$, a live label is a label associated to a top-level action which can immediately be
performed, i.e. an input/output prefix able to synchronize. Table 8 defines the live labels
of a labeled experiment $S$, according to the labeling method proposed in Section 4.
Informally, Table 8 is a rephrasing of the operational rules: even if live labels cannot be directly
defined in terms of transitions, deductions of the live predicate mimic the proof of a derivation.
As a consequence, $\omega$ is not live, since a complementary action ($\bar{\omega}$) does not exist. Given a
labeled experiment $S$, the set of live labels of $S$ is denoted by $Ll(S)$.

Definition 5.1. Let $S$ be a labeled experiment and let $(s,n) \in (\{0,1\}^* \times \mathbb{N})$.

$$Ll(S) = \{(s,n) \in (\{0,1\}^* \times \mathbb{N}) \mid live((s,n), \tau, S)\}$$

is the set of live labels associated to initial $\xrightarrow{\tau}$ from $S$.

If $S \overset{\tau}{\nrightarrow}$, then $Ll(S) = \emptyset$. Since $top(S)$ is defined as the set of labels appearing at the
top of $S$, it follows immediately by the definition of live actions that $Ll(S) \subseteq top(S)$. For
simplicity, labels will be denoted in the following by $v, v_1, v_2, \ldots \in (\{0,1\}^* \times \mathbb{N})$.



¹ $E \xrightarrow{\omega}$ whenever an arbitrary occurrence of $\omega$ is at the top level in $E$.
Input



live{{s,n) , xz, x{y) i^s^n)-S) 



Output 



live{{s,n),xz,xZ(^s^nyS) 



Res 



live{{s,n),fi,S) y ^ n{fj,) 
live{{s,n),ii,{vy)S) 



live{{s,n),xy,S) x^y 
Open Rep 

live{{s,n),x{y),{uy)S) 



1^ . Q' 



live{{s,n),n,[(^s^n)S) 



Par 



Com 



live{{s,n),fj,,SQ) bn{fi) fl fn{Si) = 
live{{s,n),fx, {So \ Si)) 

live{{s, n),xy, Sq), live{{r, m),xy, Si) 
live{{s,n) ,t,So\ Si), live{{r,m) ,t,So\ Si) 



Close 



live{{s,n),xy,So), live{{r,m),x{y), Si), y ^ fn{So) 
live{{s,n) ,T,{uy){SQ \ Si)), live{{r,m) ,T,{uy){So \ Si)) 



Table 8: Live labels. 



We can now formally define the strong and weak notions of fairness. Intuitively, a 
weak-fair computation is a maximal computation such that no label becomes live and then 
stays live forever. 

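Definition 5.2. (Weak-fair Computations) Given a labeled experiment $S$, a weak-fair computation from $S$
is a maximal computation,

$$S = S_0 \xrightarrow{\tau} S_1 \xrightarrow{\tau} S_2 \xrightarrow{\tau} \cdots \xrightarrow{\tau} S_i\ [\xrightarrow{\tau} \cdots]$$

where $\forall v \in (\{0,1\}^* \times \mathbb{N}).\ \forall i \geq 0.\ \exists j \geq i.\ v \notin Ll(S_j)$.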

A strong-fair computation is a maximal computation such that no label is live infinitely 
often. Formally, strong fairness imposes that for every label there is some point beyond 
which it is never live. 

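Definition 5.3. (Strong-fair Computations) Given a labeled experiment $S$, a strong-fair computation from
$S$ is a maximal computation,

$$S = S_0 \xrightarrow{\tau} S_1 \xrightarrow{\tau} S_2 \xrightarrow{\tau} \cdots \xrightarrow{\tau} S_i\ [\xrightarrow{\tau} \cdots]$$

where $\forall v \in (\{0,1\}^* \times \mathbb{N}).\ \exists i \geq 0.\ \forall j \geq i.\ v \notin Ll(S_j)$.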






D. CACCIAGRANO, F. CORRADINI, AND C. PALAMIDESSI 



Note that every finite computation is strong-fair (resp. weak-fair), because there is no 
transition from the end state, which implies that there are no live labels. 
Some useful results follow: 

Theorem 5.4. For every labeled experiment $S$:

1. there is always a strong-fair computation from S, and 

2. every strong-fair computation from S is weak-fair, but not vice versa. 

Proof. 

(1) We apply items of Lemma C.1. If $S \overset{\tau}{\nrightarrow}$, then the empty computation is strong-fair,
since $Ll(S) = \emptyset$. Otherwise, there is a maximal computation $C$

S = So ^ Sl ^ .. ^ ^ Si Si ^ .. ^ 5i"i -^S2^...] 

where Vi > 0. Ll{Si) n Ll{Si+i) = and Vj > i. Ll{Si) n Ll{Sj) = 0. Suppose, by 
contradiction, that C is not strong-fair, then there exists a label v such that Vi > 0. 
3j > i. V E Ll{S), where either S = Sj or S = Sj, contradicting the hypothesis on C. 

(2) The positive result is trivial: by definition, a strong-fair computation is a special case 
of weak-fair computation. To prove the negative result, let S = E \ p, where E = 
lyoa I (i^6)(6^o I \yob,(a \ b)) and p = ay^.uj: it is not difficult to check that there exists 
a maximal computation from S, along which a^^ is never performed. The maximal 
computation C we consider is the following one (we omit term by convenience): 

TTil CI ^ CI ^ CI ^ CI 

±!/ I /3 — Do > Jl > 02 ^ • • • ^ 

where Vj > 0. Q{v2,v^^) = {h'b){b^j \ a \ b)) and 

a^i I Q{vl,vl) I a^^.cj Si =!^«a | Q{v. 



So =!^oa 
=!^oa 
52 =!^2a 
5*3 =!„2a 
5*4 =!,,4a 



2 ^) I "-vi-^^ 
Q{vl,vl) I a^^.uj Si+i =!„«a | a^+i | (9(w2"*"\ ^3+^) 

,3 ,,3\ 



3 I Q2{v2,vl) I av^.uj Si+2 =!„j+2 a \ Q{v2~^^ ,vl~^^) \ a^^.uj 

Q{v^,v^)\a^^.uj 



Notice that, in $C$, we have $v_4 \notin Ll(S_0), v_4 \in Ll(S_1), v_4 \notin Ll(S_2), v_4 \in Ll(S_3), \ldots, v_4 \notin Ll(S_i), v_4 \in Ll(S_{i+1}), v_4 \notin Ll(S_{i+2}), \ldots$
and so on. Moreover for every $v \in Ll(S_j)$,
where $v \neq v_4$, there exists $k > j$ such that $v \notin Ll(S_k)$. I.e., $C$ is weak-fair but it is not
strong-fair. □
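
Definitions 5.2 and 5.3 can be evaluated mechanically on an ultimately periodic computation once every state is reduced to its set of live labels. The Python below is an added illustration, not part of the paper: the `Computation` encoding, the `{k}` convention for labels that are created anew in each iteration, and the label names `u{k}`, `w{k}`, `v0` are assumptions made here, and the sample sequences are constructed to follow the liveness pattern of $v_4$ described in the proof above.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

FRESH = "{k}"  # a label template containing {k} is a new label in every iteration


@dataclass(frozen=True)
class Computation:
    """Maximal computation S_0 -> S_1 -> ... reduced to its live-label sets.

    prefix holds Ll(S_0), ..., Ll(S_{p-1}); cycle holds the sets that repeat
    forever afterwards. An empty cycle means the computation is finite.
    """
    prefix: Tuple[FrozenSet[str], ...] = ()
    cycle: Tuple[FrozenSet[str], ...] = ()

    def live(self, i: int) -> Set[str]:
        """Concrete Ll(S_i), with {k} replaced by the iteration number."""
        if i < len(self.prefix):
            return set(self.prefix[i])
        if not self.cycle:
            raise IndexError(f"finite computation has no state S_{i}")
        k, pos = divmod(i - len(self.prefix), len(self.cycle))
        return {t.replace(FRESH, str(k)) for t in self.cycle[pos]}


def _check_maximal(c: Computation) -> None:
    # A finite computation is maximal only if its last state cannot move,
    # and a state that cannot move has no live label.
    if not c.cycle and c.prefix and c.prefix[-1]:
        raise ValueError("finite computation ends in a state with live labels")


def live_infinitely_often(c: Computation) -> Set[str]:
    """Labels violating Definition 5.3: live in S_j for infinitely many j.

    Only labels that are the same label in every iteration qualify; a fresh
    label is live during one iteration and never again.
    """
    _check_maximal(c)
    return {t for s in c.cycle for t in s if FRESH not in t}


def live_forever(c: Computation) -> Set[str]:
    """Labels violating Definition 5.2: live in every S_j from some i on."""
    _check_maximal(c)
    if not c.cycle:
        return set()
    always = set.intersection(*(set(s) for s in c.cycle))
    return {t for t in always if FRESH not in t}


def is_strong_fair(c: Computation) -> bool:
    return not live_infinitely_often(c)


def is_weak_fair(c: Computation) -> bool:
    return not live_forever(c)


def live_positions(c: Computation, label: str, horizon: int) -> List[int]:
    """Indices i < horizon with label in Ll(S_i); a finite cross-check."""
    n = horizon if c.cycle else min(horizon, len(c.prefix))
    return [i for i in range(n) if label in c.live(i)]


# Constructed samples (not the paper's terms). u{k}, w{k} and v0 are
# hypothetical labels; v4 is the label discussed in the proof above.
ALTERNATING = Computation(cycle=(frozenset({"u{k}"}), frozenset({"v4", "w{k}"})))
STARVED = Computation(cycle=(frozenset({"v4", "u{k}"}), frozenset({"v4"})))
FINITE = Computation(prefix=(frozenset({"v0"}), frozenset()))

if __name__ == "__main__":
    for name, c in (("ALTERNATING", ALTERNATING), ("STARVED", STARVED), ("FINITE", FINITE)):
        print(name, "weak-fair:", is_weak_fair(c), "strong-fair:", is_strong_fair(c))
```

`ALTERNATING` is weak-fair but not strong-fair because `v4` is live at every odd index, while `STARVED` fails both definitions because `v4` is live in every state of the cycle.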



6. Comparing 'fair'-testing semantics 

In this section we consider the addition of the requirement of fairness in the definition of
must-testing and investigate the resulting semantic relations. In particular, we compare
the different notions of fairness (the notions we introduce and the existing notion of fair-
testing semantics), and the must-testing semantics.

Let us start by observing that $P$ must $o$ implies $P$ fair $o$, but not vice versa: it suffices
to consider the process $P = (\nu b)(b \mid !b.b) \mid a$ and the observer $o = a.\omega$.

Now, we define our notions of 'fair' must-testing. 

Definition 6.1. (Strong/Weak-fair Must Semantics) Let $E$ be a labeled process and $\rho$ a labeled observer. Define
$E$ sfmust $\rho$ ($E$ wfmust $\rho$) if and only if for every strong-fair (respectively, weak-fair) computation
from $(E \mid \rho)$

$$E \mid \rho = S_0 \xrightarrow{\tau} S_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} S_i\ [\xrightarrow{\tau} \cdots]$$

there exists some $i \geq 0$ such that $S_i \xrightarrow{\omega}$.

The following result states the relation between weak-fair must-testing and strong-fair 
must-testing. It is the case that weak-fair must-testing implies strong-fair must-testing, but 
not vice versa. In fact, any strong-fair computation is also weak-fair. To prove the negative 
result, we consider an experiment with a weak-fair computation in which the label prefixing
$\omega$ becomes live, loses its liveness, becomes live again, etc., without being performed: this
computation is weak-fair by definition and unsuccessful. Notice that this label should
always be performed in a strong-fair computation, determining its success.

Proposition 6.2. For every labeled process $E$ and every labeled observer $\rho$:

$E$ wfmust $\rho$ implies $E$ sfmust $\rho$, but not vice versa.

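Proof. For the positive part, suppose, by contradiction, that there exists a strong-fair
computation $C$

$$E \mid \rho = S_0 \xrightarrow{\tau} S_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} S_i\ [\xrightarrow{\tau} \cdots]$$

such that $\forall i \geq 0.\ S_i \overset{\omega}{\nrightarrow}$. Since a strong-fair computation is weak-fair too, then $C$ is
weak-fair. It follows that $\neg\,(E\ \mathit{wfmust}\ \rho)$, thus contradicting the hypothesis.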

We now prove the negative result. Consider again E =!^oa | Q{v2,v^) and p = a^j^.to, 

where Q{vl,vl) = {yb)(h^o^ \Koh-{(^ I ^))- 

Notice that the computation proposed in the proof of item (2) of Theorem 5.4, where
$v_4 \notin Ll(S_0), v_4 \in Ll(S_1), v_4 \notin Ll(S_2), v_4 \in Ll(S_3), \ldots, v_4 \notin Ll(S_j), v_4 \in Ll(S_{j+1}), v_4 \notin Ll(S_{j+2})$
etc., is unsuccessful: in fact, $v_4$ loses its liveness even if $a_{v_4}$ is not performed. In
such a case $\forall j \geq 0.\ S_j \overset{\omega}{\nrightarrow}$. It follows that $\neg\,(E\ \mathit{wfmust}\ \rho)$.

To prove that E sfmust p holds, it suffices to notice that for every j > and every 
v{,v{ e ({0,1}* X N), 

(1) Q(t'^,^) — — > CL^]+i I Q2(i'2^^, "^3^^), i-e. Q{vi^,v^^) can perform infinite sequences; 

(2) for every T E every — ^ from ((5(^2, V'!/) \ T) does not follow from a synchronization 
(either Rule Com or Close) between Q{y2-,v-!/} and T; 

(3) for every maximal computation C' from E \ p 

E\p = So^Si^ ...^Si[-^ 

there always exists 

Si =\^oa I a^i I Q{vl,vl) I a„4.u;. 

(4) Vi Ll{So), f4 € Ll{Si) and £ Ll{Sj^i) whenever there exists k > {j + 1) such that 
a^k is a top-level parallel component of Sj+i. 

By definition of Q{v2,v^), there exist infinitely many indexes k such that a^k is a top-level 
parallel component of Sj+i; it follows that can be live infinitely often. But this is not 
possible if C is a strong-fair computation: in fact, by definition, will lose its liveness 
forever, i.e. ay^ will be performed. In such a case there will be z > 2 in C such that 

Proposition 6.3 shows the relation between strong-fair must- (respectively, weak-fair
must-) testing semantics and must-testing.

Proposition 6.3. For every labeled process $E$ and every labeled observer $\rho$:

1. $Unl(E)$ must $Unl(\rho)$ implies $E$ wfmust $\rho$, but not vice versa;

2. $Unl(E)$ must $Unl(\rho)$ implies $E$ sfmust $\rho$, but not vice versa.

Proof. 

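(1) For the positive part, suppose there is a weak-fair computation from $E \mid \rho$

$$E \mid \rho = S_0 \xrightarrow{\tau} S_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} S_i\ [\xrightarrow{\tau} \cdots]$$

such that $\forall i \geq 0.\ S_i \overset{\omega}{\nrightarrow}$. Then there exists the following maximal computation

$$Unl(E \mid \rho) = Unl(S_0) \xrightarrow{\tau} Unl(S_1) \xrightarrow{\tau} \cdots \xrightarrow{\tau} Unl(S_i)\ [\xrightarrow{\tau} \cdots]$$

where $\forall i \geq 0.\ Unl(S_i) \overset{\omega}{\nrightarrow}$, i.e. $\neg\,(Unl(E)\ \mathit{must}\ Unl(\rho))$.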

We now prove the negative part. Let E = (z/6)(6^o | !^o6.6) | 0^3 and p = 0^4.0;, we 
have Unl{E) rry{istUnl{p). However, in every w;eaA;-/azr computation from E \ p 

E \ p = So — > Si — > . . . — > Si — > . . . 
there must exist j > such that Sj+i = | l^jb.b) \ uj and Vi G [0..j]. Si = 

{i'b){b^i I l^ib.b) I | 0^,4.0;. It follows by the fact that Vi G [0..j]. V4 G Ll{Si) and there 
must exist k > i (A; = j + 1) such that t>4 Ll{Sk). It is possible only in the case a^^.u) 
synchronizes with a^^ in Sk-i = {i'b){b^k \ l^kb.b) \ 0^3 | 0^4.0;. 



(2) Immediate consequence of item (1) and Proposition 6.2. □



7. Fair-testing and 'fair'-testing semantics 

In [35] it is shown that fair-testing semantics on finite state systems corresponds to
some (strong) notion of fairness. However, this result does not hold in general. We will
show that strong-fair must-testing (and hence weak-fair must-testing) does not suffice to
characterize fair-testing.

The reason behind the negative result relies on the fact that we can construct a term for
which there exist experiments being successful under fair-testing and performing maximal
unsuccessful computations which are strong fair.

Theorem 7.1. For every labeled process $E$ and every labeled observer $\rho$:

1. $E$ sfmust $\rho$ implies $Unl(E)$ fair $Unl(\rho)$, but not vice versa;

2. $E$ wfmust $\rho$ implies $Unl(E)$ fair $Unl(\rho)$, but not vice versa.

Proof. 

(1) For the positive result, suppose, by contradiction, there exists a maximal computation 
from Unl{E) \ Unl{p) 

Unl{E) I Unl{p) = ^ Ti ^ . . . ^ Ti[^ . . .] 

and there exists i > such that Ti i.e. for each T' such that Ti =^ T', we have 
T' 7^. It follows that for every maximal computation from Tj of the form 
$T_j \overset{\omega}{\nrightarrow}$ for every $j$. Since $\omega$ cannot synchronize, it does not disappear once it is at

the top level of a term. It implies that Vj G [0..{i — 1)]. Tj Now, consider the 

computation 

E \ p = So ^ Si ^ . . . ^ Si [-^ ...] 
where for every A; > we have = Unl{Sk)- Then there exists i > such that Si 
i.e. for each S' such that Si ==^ S", we have S' It follows that for any maximal 
computation from Si 



>~>i — '-'0 ^ '-'1 



S'j 7^ for every j. Hence for every strong-fair computation from Si (which always 
exists, by Theorem 5.4) 



•~>i — '-'0 ^ '-'1 



S', 7^ for every j. It follows that, given a strong-fair computation from Si 



where 5" 



S, = S'^^S'{^...^S][^...] 
for every j, the following maximal computation 



E\p = So 



S^ 



Si — Sn 



s\' 



s'' [^...] 



is strong-fair (by Lemma C.2), and VA; G [0..(i — 1)]. 5"^ 7^, and Vj > 0. 5" 7^. It 
follows that E sfjfnust p, contradicting the hypothesis. 

We now prove the negative part. As explained before, it suffices to consider E = 
c^o I !j,oc.((z^6)(6 I b.c I b.a)) and p = a^^.uj. Clearly, Unl[E) fair Unl{p), but there exists 
the following maximal computation 

E\p = c^o 
(i/fe)(Li I b^i.c^i I ^i.a^i) 



{ub){b^i.a^i 



„oc.((z^6)(6 I b.c I b.a)) \ ay^.uj 
„ic.((z^6)(6 I b.c I b.a)) \ av^.i^ 
„ic.((z^6)(6 I b.c I b.a)) \ a^^.uj 



ie[i..fc] 



I !,,fcC.((z/6)(6 I b.c I b.a)) \ a^^.uj 



where no term has oj enabled. Notice that oj is always prefixed in 0^3. w and ^3 is always 
disabled since every occurrence of a„i is prefixed in a deadlock term [vb){b^t^.a^i). Hence 
this computation is strong-fair. 
(2) The positive part is an immediate consequence of item (1) and Proposition 6.2. As
for the negative part, observe that the counterexample in the proof of item (1) is a
counterexample here too, because the computation considered is also weak-fair. □

The previous result establishes that the notions of weak- and strong-fair must-testing differ from
the notion of fair-testing in the literature. A natural question is, then, which notion is more
suitable than the other in given situations. As shown by the counterexample in the proof
of the previous theorem, the difference is with respect to computations that are fair but
unsuccessful, and that offer at every state the possibility of being successful. These computations
are considered acceptable by the notion of fair-testing, but not by our notion, and in our
opinion, they should not be.

Example 7.2. We illustrate the difference with the well-known example of the dining
philosophers. We can specify the system in our language in the following way. The system,
$DP$, is composed of three forks $f_0, f_1, f_2$ and three philosophers $P_0, P_1, P_2$, in parallel:

$$DP = f_0 \mid P_0 \mid f_1 \mid P_1 \mid f_2 \mid P_2$$

Each philosopher replicates the following activity: first, he chooses whether to start with
the left fork (if available) or with the right fork (if available). For the choice we use the
input-guarded choice construct, represented here by the operator $+$. It is well-known that
this kind of choice can be expressed in the asynchronous π-calculus, and therefore also in
the language that we consider here, by a translation that preserves must semantics [28].

$$P_i = !(L_i + R_i)$$

Under the left choice the philosopher takes the left fork, then chooses whether to take the
right fork (if available) or to give up. In the first case, he takes the fork, eats, and then
releases both forks. In the second case, he releases the left fork. This behavior can be
represented as follows (where $\oplus$ denotes summation modulo 3):

$$L_i = f_i.(f_{i\oplus 1}.eat.(f_i \mid f_{i\oplus 1}) + \tau.f_i)$$

The behavior under the right choice is analogous:

$$R_i = f_{i\oplus 1}.(f_i.eat.(f_{i\oplus 1} \mid f_i) + \tau.f_{i\oplus 1})$$
Let us consider the observer which detects whether one philosopher succeeds to eat:

$$o \stackrel{def}{=} eat.\omega$$

We can see that

$$DP\ \mathit{fair}\ o$$

In fact, in every computation either a philosopher succeeds in taking both forks, and in
that case he eats and the observer is satisfied, or there is always the possibility that one
fork becomes available and can be taken by a philosopher who has already another fork.
On the other hand, the computation in which each philosopher in turn takes the right fork,
releases it, then takes the second fork, releases it, then takes the right fork . . . etc. is strongly
fair, and unsuccessful. Hence we have

$$\neg\,(DP\ \mathit{sfmust}\ o)$$

The answer given by our semantics is consistent with the view in Distributed Computing,
where fairness and progress (a generalization of success - in this case, the fact that
someone will eventually eat) are distinct concepts, and the Dining Cryptographers are
considered an example of the fact that the first (fairness) does not imply the latter (progress).
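
Example 7.2 makes two claims that a small state-space search can confirm: success stays reachable from every state (the transition-tree property behind fair-testing), yet the give-up schedule never lets anyone eat. The Python below is an added illustration, not the paper's encoding; it assumes one active copy of each replicated philosopher, booleans for forks and hypothetical names such as `moves` and `give_up_round`, and it does not model labels, so it does not by itself establish strong fairness.

```python
from collections import deque

N = 3  # philosopher i sits between fork i (left) and fork (i + 1) % N (right)

IDLE, BOTH = "idle", "both"  # a philosopher holding one fork f is ("one", f)


def initial():
    """All forks on the table, every philosopher idle."""
    return ((True,) * N, (IDLE,) * N)


def _step(state, i, new_phil, fork_updates):
    """Successor state: philosopher i changes, some forks change availability."""
    forks, phils = list(state[0]), list(state[1])
    phils[i] = new_phil
    for f, free in fork_updates.items():
        forks[f] = free
    return (tuple(forks), tuple(phils))


def moves(state):
    """Yield (philosopher, action, successor) for every enabled step."""
    forks, phils = state
    for i, p in enumerate(phils):
        left, right = i, (i + 1) % N
        if p == IDLE:                      # choice between L_i and R_i
            for f in (left, right):
                if forks[f]:
                    yield i, f"take{f}", _step(state, i, ("one", f), {f: False})
        elif p == BOTH:                    # eat, then release both forks
            yield i, "eat", _step(state, i, IDLE, {left: True, right: True})
        else:                              # holds one fork: go on or give up
            held = p[1]
            other = right if held == left else left
            if forks[other]:
                yield i, f"take{other}", _step(state, i, BOTH, {other: False})
            yield i, "give_up", _step(state, i, IDLE, {held: True})


def reachable(start, skip_eat=False):
    """States reachable from start; with skip_eat, only before anyone eats."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for _, action, t in moves(s):
            if skip_eat and action == "eat":
                continue
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def eat_enabled(state):
    return BOTH in state[1]


def success_always_possible():
    """From every state reached without eating, an eat-enabled state is reachable."""
    return all(any(eat_enabled(t) for t in reachable(s))
               for s in reachable(initial(), skip_eat=True))


def give_up_round(state):
    """Each philosopher in turn: take right, release it, take left, release it."""
    trace = [state]
    for i in range(N):
        for f in ((i + 1) % N, i):
            for action in (f"take{f}", "give_up"):
                state = next(t for j, a, t in moves(state) if j == i and a == action)
                trace.append(state)
    return trace


if __name__ == "__main__":
    round_trace = give_up_round(initial())
    print("success always possible:", success_always_possible())
    print("round returns to start:", round_trace[-1] == initial())
    print("anyone able to eat during the round:", any(map(eat_enabled, round_trace)))
```

Because the round ends in the state it started from, repeating it forever yields an infinite computation in which every philosopher keeps acting and the observer never succeeds.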

The difference between fair-testing and both weak- and strong-fair must-testing relies
on the fact that the former is based on properties of the transition tree and the latter are
based on the notion of fairness.

We will prove in fact that no notion based only on the transition tree can characterize
strong-fair must- and weak-fair must-testing. To this purpose, let us recall the definition of
(strong) bisimulation.

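Definition 7.3. (Bisimulation) A bisimulation is a binary relation $\mathcal{R}$ satisfying the following:
$P \mathcal{R} Q$ implies that:

1. if $P \xrightarrow{\mu} P'$ then $\exists Q'.\ Q \xrightarrow{\mu} Q' \wedge P' \mathcal{R} Q'$;

2. if $Q \xrightarrow{\mu} Q'$ then $\exists P'.\ P \xrightarrow{\mu} P' \wedge P' \mathcal{R} Q'$.

Bisimilarity $\sim$ is the largest bisimulation $\mathcal{R}$ such that $P \mathcal{R} Q$.

We recall that bisimilarity is a congruence.

We now prove that sfmust and wfmust cannot be characterized by a notion that, like
fair-testing, relies on the transition tree only.

Theorem 7.4. There exist labeled processes $E$ and $F$ such that $Unl(E) \sim Unl(F)$ but $E$ and $F$ are not $sat$-equivalent, where $sat \in \{\mathit{sfmust}, \mathit{wfmust}\}$.

Proof. Let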

E = (i^c)(c^o I !^oc.(c| a)) I (z^c)(c^o | !^oc.c) 

and 

F =!^o((^^^)(5 I b I h.a)) \ {vc){c^o \ !^oc.c). 
E and F are neither sfmust nor wfmust equivalent, since the observer p = a.f,^.(jj distinguishes 
E and F w.r.t. both sfmust and wfmust . In fact, every strong-fair (respectively, weak- 
fair) computation from E \ p forces the synchronization between c^o and l^,oc.(c \ a), i.e. 

the transition {i'c){c^q \ !^oc.(c | a)) — ^ a^i \ {i>c)(c^^,i \ !,^^,ic.(c | a)) and it also forces the 
execution of a^i (or equivalently of for some i > 1 such that {uc){c^i-i | \^i-ic.{c\a)) 
I {^^){^w^-^ I I ^)) occurred in the computation). 

It follows that there exists a transition in which $a_{v_3}$ is performed, implying that there
exists a term which has $\omega$ enabled.

This is not the case of the following strong-fair (and weak-fair) computation from $F \mid \rho$:



F\p = 
(z/6)(6„i.a^i) I 
(z/6)(6„i.a 1) I (z/6)(6„2.a^2) | 



yo{{ub){b I b I b.a)) \ (z^c)(c^o | l^oc.c) | 0^3 .a; 
^i((z/6)(6 I b I b.a)) \ (z^c)(c^i | l^ic.c) \ a^^.u 
^2{{i^b){b I b I b.a)) \ (z^c)(c^2 | !^2C.c) | 0^3.0; 



n I ■v^ii''b)ib I ^1 b.a)) I (z^c)(c^fe I l^kc.c) \ a^^.u 

ie[i..k\ 



where there are no terms with u enabled. Notice that uj is always prefixed in Qv-^.^jJ and 0^3 
is always disabled since every occurrence of a,^i is prefixed in a deadlock term (i/5)(5^i .a„i ). 

However $Unl(E) \sim Unl(F)$, implying that $(Unl(E) \mid Unl(\rho)) \sim (Unl(F) \mid Unl(\rho))$, for
any observer $\rho$. □

8. Conclusion and future work

We have designed a labeled version of the π-calculus, we have defined weak and strong
fairness, and we have introduced the natural (weak and strong) fair versions of testing
semantics. We have compared the various notions and proved that neither weak nor strong
fairness corresponds to fair-testing, and we have investigated the reason for this failure.

Our results are quite general, since they also hold for CCS, for the asynchronous π-
calculus [3 (it is easy to see that all proofs can be adapted immediately to these other
calculi), to a π-calculus with choice operator (as explained in the introduction), and they
do not depend on the labeling method (i.e. they hold for any labeling method for which
unicity, disappearance and persistence hold).

As future work, we plan to investigate the existence of alternative characterizations
of the fairness notions, allowing simple and finite representations of fair computations such
as the use of regular expressions as in [8, ^ . It is also interesting to investigate the impact
that these different notions of fairness may have on the encodings from the π-calculus into
the asynchronous π-calculus [7].

Another line of research that seems worth exploring is the adaptation in our framework
of the fairness notions of [18]. As we have mentioned in the introduction, it is possible
to represent several forms of choice in the choiceless π-calculus using the parallel operator,
and it would be interesting to see how the fairness notions of [18] relative to the choice
operator get translated in our formalism.

Appendix A. A labeled version of the π-calculus

This appendix section contains intermediate results and proofs of the statements omitted
in Section 4. Several proofs follow the same lines as the corresponding results in [11].

Lemma A.1. Let $r_0, r_1, s \in \{0,1\}^*$. $r_0 \sqsubseteq s$ and $r_1 \sqsubseteq s$. Then either $r_0 \sqsubseteq r_1$ or $r_1 \sqsubseteq r_0$.

Proof. For i £ {0, 1}, C s implies s = riOi for some G {0, 1}*. Then roOo = s = riai.
Let |rj| the length of rj. If |ro| < |ri|, then ro !^ ri. Otherwise, ri C rg. D 

Lemma A.2. Let $(r_0,m_0), (r_1,m_1), (r'_0,m'_0), (r'_1,m'_1) \in (\{0,1\}^* \times \mathbb{N})$. $r_0 \sqsubseteq r'_0$, $r_1 \sqsubseteq r'_1$ and
$\{(r_0,m_0)\} \Re \{(r_1,m_1)\}$. Then $\{(r'_0,m'_0)\} \Re \{(r'_1,m'_1)\}$.

Proof. For i G {0,1}, rj C implies r'- = r^ai for some G {0,1}*. By contradiction, 
suppose Tq C (the other case is similar). Then roao E rioi. Let |rj| the length of r^. 
In the case |ro| < |ri|, then ro E ri, contradicting {(ro, mo)}3f?{(ri, mi)}. In the case 
< |ro|, then ri C ro, contradicting again {(ro, mo)}3ft{(ri, mi)}. □ 

Lemma A.3. Let $E = L_{\langle r,m\rangle}(P)$, for some $P \in \mathcal{P}$. $\forall (s,n) \in lab(E).\ r \sqsubseteq s$ and $m \leq n$.

Proof. By induction on the structure of P. 

- E = 0: then lab{0) = 0; 

- E = L^j..^^{fi.P): then lab{E) = {(r, m)} U lab{L(^r „^j_i^{P)). 

- E = l'(,,^)(Po I A): /a6(L(,,^)(Po I A)) = lab{Li^rO,m){Po)) U lab{L^^,^^^^{Pi)). By 
induction, V(so,'T'o) £ ^'2&(-^>(r0,m)(-fb))- r C rO E so and m < no. Analogously, 
V(si,ni) G lab[L(^^i „^^[Pi)). r E rl E si and m < ni. 

- £; =!(^_^)P: then lab{E) = {(r,m)}. 

- Case $E = L_{\langle r,m\rangle}((\nu x)P)$ can be proved similarly. □

Lemma A.4. $\forall P \in \mathcal{P}.\ \forall (r,m) \in (\{0,1\}^* \times \mathbb{N}).\ wf(L_{\langle r,m\rangle}(P))$.

Proof. By induction on the structure of P. 

- P = 0,fj,.P', IP': these cases are trivial. 

- P = Po I Pi: then L(^„,)(Po | Pi) = L(,,o,„)(Po) | L(ri^„)(Pi) and by Lemma [A3| on 
top(-L^rj „j^(Pj)) we have that V(sj, nj) G top{L(^ri,m.)iPi))- E and m < Ui {i £ |0, 1}). 
Hence top(L(^o,m)(-Po)) top(L(^i^„)(Pi)). 

- P = (i/x)P': L(,,^)(P) = {ux)L(^r,m){P'), where wf {Li^^^^){P')). Hence wf{L(^r,m){P))- □ 

Lemma A. 5. Let E' G P". 

1. For any distinct {r,m) , {r' ,m') G top{E). {(r, m)}5R{(r', m')}; 

2. y{s,n) G lab{E). 3{r,m) G top{E). r E s and m < n. 

Let E' G Pg*;.. E E'. Then: 

3. y{r',m') G top{E'). 3{r,m) G top{E). r Q r' and m < m'; 

4. E' G P^ 

Proo/. 

(1) By induction on the structure of i?. 

- = 0: top(O) = 0. 

- E = P(s,„)(^.P): then top(E) = {(s,n)}. 

- E = {Eq I £^1): since wf{Eo \ Ei) then top{EQ)'Rtop{Ei) . Moreover, by induc- 
tion hypothesis, V(ro, mo), (rg, m'g) G top{Eo). {(ro, mo)}5?{(rQ, m'g)} and, similarly, 
V(ri,mi), (r'i,m'i) £ top{Ei). {(ri, mi)}5R{(r'i, m'^)}. 

- Case E = {vx)E': it can be proved similarly. 

- E P: then top{E) = {{s,n)}. 

(2) By induction on the structure of E. 

- E = 0: top{0) = and lab{0) = 0. 
- $E = L_{\langle s,n\rangle}(\mu.P)$: then $top(E) = \{(s,n)\}$. By Lemma A.3 on $L_{\langle s,n\rangle}(\mu.P)$, $\forall (s',n') \in lab(L_{\langle s,n\rangle}(\mu.P)).\ s \sqsubseteq s'$ and $n \leq n'$.

- E = {Eq I Si): By induction, V(so,rao) G lab^Eo). 3(ro,mo) G top{Eo). tq !^ sq and 
w-o ^ Analogously V(si, ni) G Za6(£'i). 3(ri, mi) G top{Ei). ri C si and mi < rii. 
It follows that V(s',n') G Za6(So | = lab{Eo) U lab{Ei). 3{r',m') G toj9(£;o I ^i) = 
top{Eo) U top{Ei). r' □ s' and m' < n'. 

- Case E = {vx)E': it can be proved similarly. 

- E =\(^s,n)P- then top{E) = {(s,n)} = lab{E). 
By induction on the depth of E — ^ P'. 

Rule Input/ Output: E = L(^,^^){^l.P) E' = L(,^„+i)(P') (either P' = P or P' 



P{z/y}). Then top{L(^g ,^^{ix.P)) = {(s,n)}. By Lemma A. 3 on L^g„^i^(P'), we have 
that \/{r',m') G iop(L(,,_„+i)(P')) ^ ^aK^(s,n+i>(^'))- s E r' and n + 1 < m'. It 
follows that y{r',m') G top{L(^g n+i){P'))- s ^ r' and n < in'. 

Rule Par. E = {Eq \ Ei) ^ {E'^ \ Ei) , where bn{n) n /n(Si) = and Eq ^ E'q. 
Since wf{EQ \ Ei), then top{EQ) 3? top{Ei). By induction, Pq -E'o i™plies that 
V(ro, m'o) G top^E'o). 3(ro, mo) G top^Eo). vq C Tq and mo < m'g. Since top{EQ \ Ei) = 
top{Eo) U to;)(£^i) and top^E'^ \ Ei) = top{EQ) U top{Ei), then V(r', m') G top(Po | E^i). 
either 3(ro,mo) G top^Eo). tq C r' and mo < m! (in the case {r',m') G top^E'o)) or 
3(ri,mi) G top{Ei). ri = r' and mi = m' (in the case {r',m') G top{Ei)). 

Rule Com: E = {Eq \ Ei) {E'q\ E[), where Eq E'q and Ei ^ E[. By 
induction hypothesis, V(rQ,mo) G top{EQ). 3(ro,mo) G top^Eo). C Tq and mo < 
mQ. Analogously, \/{r[,m'i) G top{E[). 3(ri,mi) G top{Ei). ri C r'^ and mi < m^ 
Since to|9(So | Ei) = top{Eo) U top(£;i) and top^E^ \ E[) = top{EQ) U top{E[), then 
V(r',m') G top{EQ \ E[) either 3(ro,mo) G top{EQ). vq C r' and mo < m' (in the 
case {r',m') G top{EQ)) or 3(ri,mi) G top{Ei). ri C r' and mi < m' (in the case 
(r',m') G M^i))- 

i?it/e Open/Res/ Close: These cases can be proved similarly. 

Rule Rep: \i^s,n)P ^(sO,n+i>(-P) I \si,n+i)P- Then we have top(!(s,„)P) = {(s, ri)} 
and top(-^^(sO,n+i>(^)|!(si,n+i)-P) = iop(L(^o,n+i>(-P))U{(sl, n+1)}. By Lemma [ATs) on 



^(sO,n+i>(-P)' we have that y{r',m') G top(L(^o,n+i>(^')) ^ ^a&(-^^(sO,n+i>(^))- sO □ r' 
and n + 1 < m'. It follows that {s, n) is such that s 1^ si and n < n + 1, as well as 
s C sO !^ r' and n < n + 1 < m' for any (r', m') G top(L^go,n+i)(-P))- 
We prove that wf{E') holds, by induction on the depth of E — ^ E' . 

Rule Input/Output: E = L(^^„)(;ti.P) E' = L(,^„+i)(P') (either P' = P or P' = 



P{z/y}). By Lemma [Alj w;/(L(,,„+i)(P')). 
Rule Par. E = {Eq \ Ei) ^ {E'q \ Ei) , where 6n(^) n /n(Si) = and Eq ^ E'q. 
Since wf{EQ \ Ei), then top{EQ) ?R. top(Ei). By induction, £^0 P'o implies that 
wf{E'Q). By item (3) and Lemma [X2| top{EQ) top(£;i) implies top(£;^) 3f? top{Ei). 
Hence w;/(£;^ | £^1). 

itluk Com: S = (Pol ^1) ^ (^0 1-^1) ' where Po ^ -Eq and Pi ^ P^. By induction 
hypothesis, Pq — > E'q implies that ?/;/(Pq); analogously. Pi — > Pj implies that 
^^/(P;). By item (3) and Lemma [X2| top{Eo) 3? io^3(Pi) implies top(P^) 3f? top{E'^). 
Hence w;/(P^ | PJ). 

i?it/e Open/ Res /Close: These cases can be proved similarly. 
Rule Rep: It suffices to recall that top{LuQ^n+i){P'V-{si,n+i)P') = {{s^i'n + 1)} U



top{L(^sO,n+i){P')) and to apply Lemma |AJ3| on L(30,n+i>(^')- □ 
Lemma A.6. Let Eq,Ei £ top{Eo) top{Ei) implies lab{Eo) ^lab{Ei). 



Proof. By item (2) of Lemma A.5[ \/i G {0,1}. \/{si,ni) G lab{Ei). 3{ri,'mi) G top{E., 



ri C Si and rrii < Ui. top{Eo) K top{Ei) and Lemma |A.2 imply V(so,reo) G lab{Eo). 



V(si,ni) G /a6(Si). {(sq, no)}3f?{(si, m)}, i.e. lab{Eo) ^ lab{Ei) . □ 

Lemma A. 7. Let ^V. E E' . Let {s,n) G lab{E) and {s,n) ^ lab{E'). Then 

(s, n) G top{E). 

Proof. By induction on the depth of E — ^ i?'. 

- Rule Input/ Output: E = Li^^i ^n'){l^-P) E' = I^{s' ,n'+i){P') (where either P' = P or 
P' = P{z/y]). Then top{E) = {{s',n')} and lab{E) = lab{E') U {(s',n')}. It follows that 
s = s',n = n' , and therefore (s,n) G top{E). 

- Rule Par. E = {Eq\Ei) (S^l^i) and Eq E'q. Since /a6(So|^i) = lab{Eo)Ulab{Ei) 
and lab{E'Q \ Ei) = lab{E'Q) U lab{Ei), we have (s,n) lab{EQ), {s,n) lab{Ei), and 
therefore (s,n) G lab^Eo). By induction, (s,n) G top^Eo) and therefore (s, n) G top{Eo) U 
top(^i) = to|9(^o I -El) = top(^). 

- i?u/e Com: ^ = (^o I ^i) ^ (^o I ^i), where ^ K and ^ Since 
lab{Eo I = labiyEo) U lab{Ei), we have that either (s,n) G lab(EQ) or (s,n) G lab{Ei). 
Let us consider the ffist case (the other one is analogous). Since lab{EQ \E'^) = lab^E'^) U 
lab{E[), we have that (s, n) lab{EQ). The rest is the same as in the case of Par. 

- Rules Open/Res: Immediate, by induction. 

- Rule Close: Similar to the case of Com. 

- Rule Rep: Trivial, since E =\s',n')P and lab(\(^gi ni)P) = {{s^n')} = top{l (^g/ ^n') P) . □ 

Lemma A. 8. Let E,E' G E E' and {r,m) G top{E). {r,m) G lab{E') implies 
(r, m) G top{E'). 

Proof. Let {r,m) G top{E) n lab(E') and suppose, by contradiction, that {r,m) top(E'). 



By item (2) of Lemma A. 5 3(r', m') G top{E'). r' Q r and m' < m. By item (3) of Lemma 
A. 5 3{r",m") G top{E). r" IZ r' C r and m" < ml < m. It follows that 3{r,m), {r",m") G 
top{E) such that r" C r and m" < m. Note also that the pairs {r,m) , {r' ,m') must be 
different and therefore also {r,m), {r",m") are different. Thus we get a contradiction with 



item (1) of Lemma A. 5, D 



Appendix B. Must- and fair-testing semantics 

This appendix section contains intermediate results and proofs of the statements omit- 
ted in Section m 

Proposition B.1. Let $P \in \mathcal{P}$ and $o \in \mathcal{O}$. $P$ must $o$ implies $P$ fair $o$.

Proof. By contradiction, suppose P fa/ir a, i.e. there is a maximal computation from P \ a 

P\o = To^T^^ ...^Ti[^ ...] 

such that Ti 7^ for some i > 0, i.e. for every T'.Ti^ T' it holds that T' 7^. It follows 
that Ti Vj G [0..(i — l)].7j' -/—^ and V/i > i. T^ by hypothesis on Ti. In fact, since 
$\omega$ cannot synchronize, it does not disappear once it is at the top level of a term. It follows
that the above computation is such that $\forall j \geq 0.\ T_j \overset{\omega}{\nrightarrow}$, i.e. $\neg\,(P\ \mathit{must}\ o)$. □

Proposition B.2. $\exists P \in \mathcal{P}.\ \exists o \in \mathcal{O}$. $P$ fair $o$ and $\neg\,(P\ \mathit{must}\ o)$.

Proof. Consider P = {iyb)(b \ Ib.b) \ a and o = a.uj. Since {i'b)(b \ Ib.b) — ^ {i'b){b \ Ib.b) — ^ . . . , 
there is an unsuccessful maximal computation from P \ a, i.e. P njhsto. However, P fairo, 
since every maximal computation from P \ a 

p\o = To-^Ti^ ...^Ti^ ... 

is such that either Vi > 0. Tj = {i'b)(b \ Ib.b) \ a \ a.u> or 3j > 1. Tj = {iyb)(b \ Ib.b) \ uj and 
Vi G [0..(i - l)].Ti = {ub){b \ Ib.b) \a\a.io and Ti ^ Tj. □ 



Appendix C. Weak-fair must, strong-fair must and fair-testing semantics 

Lemma C.1. For every labeled experiment $S$:

1. $Ll(S)$ is a finite set;

2. $S \overset{\tau}{\nrightarrow}$ implies $Ll(S) = \emptyset$;

3. ve Ll{S) implies 3S' e£^. S ^ S' and MS". S' ^ S" . v Ll{S"); 

4. 3S' £g^. S', Ll{S) n Ll{S') = and MS". S' ^ S" . Ll{S) n Ll{S") = 0. 

Proof We recall that VS* G Ll{S) C top{S) C lab{S). Items (1) and (2) are trivial. 
Consider ite m (3 ). S' is the term obtained from S by performing the action labeled by v: 



by Theorem 



4.8 



holds. 



V lab{S') and for every S" such that S' ^ S" , v ^ lab{S' 
Hence v Ll{S') and for every S" such that S' ^ S" , v Ll{S") holds. 

To prove item (4) it suffices to apply the previous item, where fi = t. The term S' is 
obtained from S by performing any v G Ll{S) and such that for every v G Ll{S) and every 
S" such that S' ^ S" either v lab{S') (following that v lab{S")) orv ^ Ll{S") and 
V G lab{S'). In both cases, Ll{S)nLl{S') = and Ll{S)nLl{S") = 0. Since is finite, 

such S' exists. 

Lemma C.2. Let S £ and S 

computation from S. If 3S'q, S'l, S'2, 

S' = S'o 



CI Q 

Do > 01 > . . . - 

. , S'n £ S*^ such that 



Si 



□ 

be a strong-fair 



then 

S' ^S[^ 
is a strong-fair computation from S' . 

Proof. Consider C = S' — ^ S[ — ^ . 
S, 



.S[ 

s„ - 



Si 



S,. 



0/ 



where 



Vj > 0. S'^^j ::= Sj. Obviously C is a maximal computation from S' . To prove that C is 
also strong-fair, it suffices to prove that \/v G ({0,1}* x N). 3h > 0. \/k > h. v ^ Ll{S'j.). 



Since S' 



S„ 



n+l 



or 



is a strong-fair computation from S'^, then 



yv G ({0, 1}* xn).3h>n.yk>h.v^ Ll{S'^). Since n > 0, G ({0, 1}* x N). 3/i > 0. 
yk > h. V ^ Ll(S'i^). I.e., C is a strong-fair computation from S' . □ 